Patients’ Health Data Rights and Precision Medicine

February 26, 2016

The recent Precision Medicine Initiative Summit at the White House saw dozens of private entities committing to join with the administration in supercharging the effort to enroll one million patients into precision medicine research programs, collecting and securely sharing data about them – including genomic data – all in an effort to crack the code of intransigent medical conditions and provide answers and therapies in a “precision” manner, looking for solutions that serve each patient best. (Also referred to as the N of 1 approach.) NIH is on the Precision Medicine bus as well.

President Obama took part in the proceedings (see White House video in this post) and in addressing the reach of the initiative, he noted that “precision medicine … is … empowering individuals to monitor and take a more active role in their own health.” This was a striking statement, and it has a number of implications. For our present purposes, the key issue thus raised by the President is that of the inextricable link between precision medicine, information access and participatory medicine.

In the weeks leading up to the PMI Summit, OCR has worked to reframe and re-communicate the “rules of the road” for health data privacy and security, taking this opportunity to burnish communications about HIPAA and clarify all parties’ rights and responsibilities under these rules — particularly emphasizing patient empowerment when it comes to health data.

This confluence of communications brings to mind the HITECH Act — part EHR promotion, part beefing up of health data privacy and security rules. Just as the HITECH Act and OCR were helpful in pre-emptively calming potentially anxious constituencies about security in the face of digitization, so, too, the PMI and OCR seek to present a unified front: let’s harness “big data” to solve big problems in healthcare, but let’s be sure that patients have a seat at the table through equal access to patient data and control of patient data.

What is notable about the recent government issuances regarding HIPAA — through an excellent series of blog posts and guidance (and blog posts about the guidance) — is that there is no new law or regulation on the books. The federales (including, notably, Jocelyn Samuels, Deven McGraw and Lucia Savage) have simply taken this opportunity to review a range of issues that have come to their attention (whether through the government’s developer portal for HIPAA questions or otherwise) and to clarify the official position on a wide range of issues regarding HIPAA compliance. The key thrust of the blog posts and fact sheets with real-life scenarios is to remind everyone out there that HIPAA supports interoperability “because it gives providers permission to share PHI for patient care, quality improvement, population health, and other activities.” The posts and the embedded fact sheets go into some detail on “situations in which a covered entity is permitted, but not required, to use and disclose PHI without first having to obtain a written authorization from the patient.” More specifically, they cover (a) permitted uses and disclosures: what they are, and how they advance the national goal of interoperability, (b) examples of exchange of health information for care coordination, care planning, and case management, both between providers and between providers and payers, and (c) examples of interoperable, permissible exchange of PHI for quality assurance and population-based activities.

The guidance entitled Individuals’ Rights under HIPAA to Access their Health Information (including FAQs) also clarifies and explains existing rules rather than breaking new ground. OCR deals with a tremendous volume of complaints and inquiries and has stated that it is not able to do much beyond inform a covered entity that it ought to release records when a complaint regarding noncompliance with a request is filed. It appears to be the agency’s hope that clearer explication of the rules as they exist will drive the regulated community to a better compliance posture, particularly in light of the long-promised increased attention to enforcement coming from the agency.

One key element of the guidance that seems to break new ground (but is presented as a clarification) is the section regarding permissible fees that may be charged to patients seeking copies of their medical records. Given the significant volume of discussion that has surrounded this particular issue over the years, it is worth delving into this portion of the guidance in detail. (Though given the direction of health innovation, it is worth noting that the copying and passing of records back and forth will no doubt soon be accomplished through more modern means — see, e.g., Flow Health, a client). It has previously been a commonplace that state laws and regulations regarding the prices that covered entities may charge patients for copies of medical records may not be disturbed by federal law. This guidance takes the opposite tack, essentially stating that the HIPAA rules on reasonable charges for copies of medical records pre-empt state law (unless the state-authorized fee is both reasonable and cost-based, i.e., calculated on the same basis as the HIPAA-authorized fee), and setting out the permissible charges (as a “clarification,” not as a new rule) thus:

The fee may include only the cost of certain labor, supplies, and postage:

. . . . Labor includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.

Supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media . . . [but] individuals have the right to have their PHI e-mailed or mailed to them upon request.

Labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.

Postage, when the individual requests that the copy, or the summary or explanation, be mailed.

The guidance goes on to say that no other costs may be charged to patients even if authorized by state law. (That includes: no labor costs for reviewing the record request, searching for and compiling responsive materials, etc.)

The guidance states that even though the rules allow “the limited fee described above, covered entities should provide individuals who request access to their information with copies of their PHI free of charge, [especially in cases of financial need]. Providing individuals with access to their health information is a necessary component of delivering and paying for health care.” (Emphasis supplied.) (That’s something I’ve been saying for a long time. Between payment for health care services and the incentive programs underwriting EHR adoption, providers have been paid enough to permit them to deliver copies of records to patients without charge. ONC rulemaking has hinted that once we have APIs running Health IT, copying records should be cost and charge free, and OCR here also notes “that as technology evolves and processes for converting and transferring files and formats become more automated, we expect labor costs to disappear or at least diminish in many cases.”)

Finally, the guidance offers specifics on calculating reasonable costs for copies of health records: (1) actual costs (limited to the actual costs necessary to fulfill the actual request), (2) average costs (typical permissible labor cost, plus actual cost of media and postage if any) or (3) a flat fee of $6.50 per record.

The twin announcements of the Precision Medicine Initiative and the HIPAA enforcement posts and guidance emphasize the government’s decision to continue down a path — on its own, and as a prod to other actors in the public and private sectors — to harness “big data” to solve big problems in healthcare, while ensuring all the while that the data used in the process is maintained in a secure and private manner, and making sure that patients have a seat at the table through equal access to patient data and control of patient data.